Legal updates and opinions
News / News
Mr. Pty Ltd, You Have a Right to Privacy!
When thinking about the Protection of Personal Information Act 4 of 2013 (“POPIA“) individuals often, mistakenly so, think about the protection of personal information belonging to themselves only. This is the case given that many jurisdictions, particularly the European Union’s General Data Protection Regulation 2016/679, only finds applicability in relation to the personal information of individuals.
However, POPIA’s reach is unique in that provision relating to the protection personal information extends beyond individuals to include juristic persons such as companies, trusts and associations. This broader application means that businesses must not only protect the personal information of individuals, but also personal information relating to companies and legal entities with which they engage, including its own personal information.
The Western Cape High Court (“High Court“)recently found that a former employee had unlawfully accessed and stolen sensitive company data over a 9-year period. From a POPIA perspective, there are certain important considerations that this judgement gives light to.
Last week, the High Court found that –
- a former employee of a poultry conveying equipment manufacturer, Technical Systems Proprietary Limited (“Technical Systems“), had unlawfully accessed and stolen over a thousand copyright-protected engineering drawings over a 9-year period; and
- these designs were used to replicate the production plant of Technical Systems allowing the former employee and his associates to compete directly and unfairly with Technical Systems for nearly 15 years.
The High Court ruled that the manufacturing operations of the former employee (and his associates) must cease and that there must be a destruction of all related stolen records from the computer systems and electronic devices.
What must be considered from a POPIA perspective is that –
- POPIA applies to processing of personal information of juristic entities in the same way that it applies to that of individuals. Section 14 of the Constitution of the Republic of South Africa, 1996 guarantees the right to privacy to every person in the Republic of South Africa. This right has been extended to juristic persons. In The Investigating Directorate: Serious Economic Offences and others v Hyundai Motor Distributors (Pty) Ltd and others In re: Hyundai Motor Distributors (Pty) Ltd and others v Smit NO and others [2000] JOL 7338 (CC), the Constitutional Court held that –
“Neither counsel addressed argument on the question of whether there was any difference between the privacy rights of natural persons and juristic persons. But what is clear is that the right to privacy is applicable, where appropriate, to a juristic person.”
- what this means is that when, for example, an employee unlawfully accesses or steals proprietary company data, it is not merely a criminal act or an internal misconduct issue, but a data privacy issue. Depending on the facts, it could also constitute a cybercrime issue. We say this because the Cybercrimes Act 19 of 2020 (“Cybercrimes Act“)makes provision for theft of incorporeal property.
Of note also is that the theft of company data constitutes a data breach (also called a security compromise). To this end, the High Court recognised that there was a theft of incorporeal property – in other words the intangible (personal) information that belongs to Technical Systems was acquired by an unauthorised person. Section 22 of POPIA has a wide meaning as to what constitutes a data breach. A data breach is defined as “any unauthorised” access or acquiring of personal information. When a data breach occurs, it is important to remember that there is a duty to report the breach to the Information Regulator and to the affected data subjects, by the entity who suffered the breach (also called a responsible party).
Companies must recognise that their personal information including their incorporeal property is invaluable and is similarly worthy of protection as that of any individual. This includes protection in terms of POPIA and the Cybercrimes Act.
POPIA provides for a clear definition as follows –
“personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person…“
Latest News
Cracking Down or Catching Up? South Africa’s Approach to Crypto Regulation: Part 4 – Exchange Control Update
by Deon Griessel, Director, Armand Swart, Director, Hlonelwa Lutuli, Associate and Khanyisa Tshoba, Associate In our previous article published on [...]
Business Rescue at the Crossroads: When Creditors Draw the Line
by Dr. Eric Levenstein - Director and Head of Insolvency & Business Rescue, Amy Mackechnie, Senior Associate and Clio Patricios [...]
Courts Enforcing The Right Of Access To Healthcare In Gauteng
by Helen Michael, Director, Slade van Rooyen, Associate and Vhutshilo Muambadzi, Candidate Attorney The present dire state of public healthcare [...]
NCR Throws a Lifeline to Consumers Required to Pay Premiums for Mandatory Credit Life Insurance
by Dylan Cunard, Director and Brendan Olivier, Director In a much-needed victory for hard-pressed consumers, the National Credit Regulator ("NCR") [...]
The Impacts of Cross-Border Restructuring Transactions on Your South African Mining Right
by Sandile Shongwe, Senior Associate and Kyra South, Director (assisted by Gracie Sargood, Candidate Attorney) The proposed amendments to the Mineral and Petroleum [...]
Global AI Governance Frameworks in a Diverging World
by Ahmore Burger-Smidt, Director and Head of Regulatory “The biggest lesson learned is we have to take the unintended consequences [...]
